https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-id-mapping-works-on-dc-but-not-intermittent-on-branches-for/m-p/1248039#M7282 <P>Hi All,</P><P>We have a PA-1410 at DC (with GlobalProtect) and PA-440/410 at branches.<BR />Microsoft Intune enrolled devices users authenticate via SAML-Azure AD, non-Intune users via LDAP on-prem AD. User-ID is learned on the DC firewall and redistributed to branches using existing redistribution profiles.<BR /><BR /></P><P>Working fine for:</P><P>Non-Intune internal/external network users</P><P>Intune users from external network (via GP)</P><P>Intune users on internal network at DC<BR /><BR /></P><P>Issue:</P><P>Intune users on internal network at branch sites do not get User-ID mapping or it is intermittent.</P><P>In all cases, DC firewall is learning and redistributing the mappings.</P><P>Same design works at DC but not consistently at branches only for Intune internal users.<BR /><BR /></P><P>Has anyone seen this before?</P><P>Any pointers or real-world fixes would be really appreciated.&nbsp;</P> Thu, 12 Feb 2026 12:18:03 GMT abhishek.kumar 2026-02-12T12:18:03Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-id-mapping-works-on-dc-but-not-intermittent-on-branches-for/m-p/1248039#M7282 <P>Hi All,</P><P>We have a PA-1410 at DC (with GlobalProtect) and PA-440/410 at branches.<BR />Microsoft Intune enrolled devices users authenticate via SAML-Azure AD, non-Intune users via LDAP on-prem AD. User-ID is learned on the DC firewall and redistributed to branches using existing redistribution profiles.<BR /><BR /></P><P>Working fine for:</P><P>Non-Intune internal/external network users</P><P>Intune users from external network (via GP)</P><P>Intune users on internal network at DC<BR /><BR /></P><P>Issue:</P><P>Intune users on internal network at branch sites do not get User-ID mapping or it is intermittent.</P><P>In all cases, DC firewall is learning and redistributing the mappings.</P><P>Same design works at DC but not consistently at branches only for Intune internal users.<BR /><BR /></P><P>Has anyone seen this before?</P><P>Any pointers or real-world fixes would be really appreciated.&nbsp;</P> Thu, 12 Feb 2026 12:18:03 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-id-mapping-works-on-dc-but-not-intermittent-on-branches-for/m-p/1248039#M7282 abhishek.kumar 2026-02-12T12:18:03Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-id-mapping-works-on-dc-but-not-intermittent-on-branches-for/m-p/1248197#M7285 <P>When Intune users are at a branch, their traffic hits the local PA-440/410, but because they authenticate via SAML (Azure AD) rather than local AD, there are no security logs for a local User-ID agent to scrape. If the DC firewall is redistributing mappings based on a GlobalProtect inner-tunnel IP or a specific DC-centric subnet, those mappings won't match the local branch LAN IP of the device.</P><P>To fix this, ensure your Redistribution Filter includes the branch IP subnets and verify that the branch firewalls are configured as Log Receivers or have the DC firewall added as a User-ID Agent. Additionally, since Intune devices often use randomized MAC addresses or transition between Wi-Fi/Wired interfaces, consider deploying the Palo Alto GlobalProtect app in "Internal Gateway" mode; this forces the client to report its current internal IP directly to the firewall, bypassing the need for unpredictable log scraping or redistribution lag.</P> Mon, 16 Feb 2026 05:53:34 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-id-mapping-works-on-dc-but-not-intermittent-on-branches-for/m-p/1248197#M7285 dora745nevels 2026-02-16T05:53:34Z